
Cyware Daily Threat Intelligence


Daily Threat Briefing November 21, 2023

The education, government, and business services sectors have been warned of a growing number of infections coming from the operators of NetSupport RAT. At least 15 new incidents related to the RAT have appeared in the past few weeks. Another malware campaign has emerged in the wild, targeting Android users via WhatsApp and Telegram. Microsoft experts revealed that it impersonates legitimate organizations as part of its social engineering techniques to trick victims into installing malicious apps. The fraudulent apps, disguised as banking applications, aim to harvest sensitive data, including financial details and credentials.

Linux systems face new threats from the operators of the Kinsing malware, who are exploiting a critical Apache ActiveMQ vulnerability to install cryptocurrency miners and rootkits. Meanwhile, a string of malware attacks is targeting South Korean communications companies and semiconductor manufacturers.

Top Breaches Reported in the Last 24 Hours

Government contractors attacked

Two Canadian government contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, suffered a security breach that exposed the sensitive information of an undisclosed number of government employees. Data of current and former Government of Canada employees, Canadian Armed Forces members, and Royal Canadian Mounted Police personnel has been compromised. The LockBit ransomware gang has claimed responsibility for the attack on SIRVA, leaking 1.5TB of stolen data.

PJ&A exposes health records of millions of patients

A significant cyberattack on medical transcription company PJ&A led to a major data breach affecting nearly nine million patients. Northwell Health, New York's largest healthcare provider, confirmed that approximately 3.89 million of its patients were impacted, with an additional 1.2 million patients from Cook County Health in Illinois affected. The breach, considered among the most severe medical data breaches, compromised sensitive health data, including diagnoses and SSNs.

Over four million more hit by MOVEit breach

Healthcare platform Welltok and California's Medical Eye Services have surfaced as the latest victims of the attack on the MOVEit file transfer software with an additional four million patients' data being compromised. With this, the MOVEit attacks have affected at least 2,618 organizations, exposing data on over 77 million individuals. Sectors most impacted include education, healthcare, and financial services.

Vaccination records of 2 million Turkish citizens exposed

Researchers at SafetyDetectives uncovered a significant data breach exposing the personal details of more than two million Turkish citizens, including vaccination records spanning 2015 to 2023. The leak could have severe consequences because another database on the same forum, containing the personal data of over 49 million Turkish citizens, has been circulating on underground forums since at least 2016.

National Laboratory’s employee data at risk

The Idaho National Laboratory (INL) fell victim to a cyberattack orchestrated by the SiegedSec group. The breach, confirmed by INL, compromised employee data stored in its Human Resources application. SiegedSec claimed to have accessed substantial employee information, including full names, social security numbers, bank details, and addresses, affecting hundreds of thousands of individuals.

Top Malware Reported in the Last 24 Hours

Phobos ransomware variant targets VX-Underground

A new variant of the Phobos ransomware is framing the VX-Underground malware-sharing collective in its attacks. The malware appends the extension ".id[unique_id].[staff@vx-underground.org].VXUG" to encrypted files, implying VX-Underground's involvement, and the ransom notes reference a VX-Underground decryption password and contact information. The tactic appears intended to frame the collective or damage the reputation of a legitimate research platform.

Apache flaw exploited for crypto-mining

The threat group behind the Kinsing malware is actively exploiting a critical vulnerability (CVE-2023-46604) in Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. Once a server is compromised, the attackers deploy a cryptocurrency-mining script that consumes the host's resources for illicit profit. The group is known for targeting misconfigured containerized environments and for quickly adapting its tactics to exploit newly disclosed flaws.

Surge in NetSupport RAT infections

The VMware Carbon Black Managed Detection & Response team warned of a spike in NetSupport RAT infections affecting the education, government, and business services sectors. The attacks distribute NetSupport RAT through fake browser updates, with victims tricked into downloading such updates from compromised websites. The lure delivers a JavaScript payload that, once executed, retrieves a ZIP archive containing NetSupport RAT.
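The chain above (a user saves a "browser update" script, a script host runs it, the script fetches a ZIP) can be hunted for in endpoint telemetry by correlating two events from the same process. The following is an added example written for this briefing, not code from Carbon Black or from the original report; the event format and the sample events are constructed to resemble simplified process-create and file-create telemetry, and the directory list and field names are assumptions.

```python
"""Hunt for the fake-browser-update chain: a script host runs a downloaded .js,
then the same process writes a ZIP archive (the staged RAT)."""
import ntpath

# Constructed, simplified endpoint telemetry (loosely modelled on Sysmon-style
# process-create and file-create events); not real data from any incident.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 4120, "ppid": 3000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Chrome_Update_v119.js"'},
    {"ts": 2, "type": "file_create", "pid": 4120,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\update_pkg.zip"},
    # Benign admin script run from a non-user location: must not alert.
    {"ts": 3, "type": "process_create", "pid": 5210, "ppid": 3000,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" C:\Scripts\inventory.js'},
    {"ts": 4, "type": "file_create", "pid": 5210,
     "target": r"C:\Scripts\inventory.csv"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a user lands in when saving a "browser update" from a web page
# (assumed list; extend for your environment).
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def _js_from_user_dir(cmdline):
    """Return the .js path if the command line runs a script from a user drop dir."""
    low = cmdline.lower()
    for token in low.replace('"', ' ').split():
        if token.endswith(".js") and any(d in token for d in USER_DROP_DIRS):
            return token
    return None


def detect(events):
    """Return alerts for script-host processes that ran a downloaded .js and then
    created a .zip. Events are processed in timestamp order."""
    suspicious = {}  # pid -> script path of a flagged script-host process
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "process_create":
            if ntpath.basename(e["image"]).lower() in SCRIPT_HOSTS:
                script = _js_from_user_dir(e["cmdline"])
                if script:
                    suspicious[e["pid"]] = script
        elif e["type"] == "file_create":
            script = suspicious.get(e["pid"])
            if script and e["target"].lower().endswith(".zip"):
                alerts.append({"pid": e["pid"], "script": script,
                               "archive": e["target"],
                               "reason": "script host ran downloaded .js, then wrote a ZIP"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Requiring both stages (script host launched on a user-downloaded .js, then a ZIP written by that same process) keeps the rule quiet on legitimate logon and inventory scripts, which rarely run from Downloads and rarely drop archives. In a real deployment the second stage can be widened to include outbound network connections from the script host, since the JavaScript has to fetch the archive from somewhere.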

Android malware dropped via social media lures

Android users in India are being targeted by a new malware campaign that uses social engineering on platforms such as WhatsApp and Telegram. Attackers impersonate legitimate organizations, such as banks and government services, to trick users into installing malicious apps. The fraudulent apps claim to allow users to update their permanent account number (PAN), issued by the Indian Income Tax Department, and prompt them to enter sensitive information, including payment card details and online banking credentials.

Malware distribution through asset management programs

The Andariel group, known to have connections with the Lazarus group, has been identified distributing malware through asset management programs. Recent cases include exploitation of the Log4Shell vulnerability and abuse of the Innorix Agent software as distribution vectors, across various sectors in South Korea. The group uses malware such as TigerRAT, NukeSped variants, Black RAT, and Lilith RAT in its attacks. These backdoors support features including file upload/download, command execution, information collection, keylogging, and port forwarding.

Agent Tesla malware evolves

A novel variant of the notorious Agent Tesla malware has emerged that uses the ZPAQ compression format for delivery, enabling threat actors to steal data from nearly 40 web browsers and various email clients. The ZPAQ attachment in the phishing emails is disguised as a PDF document. The extracted .NET executable is artificially inflated to 1 GB with zero bytes, a tactic intended to bypass traditional security measures such as scanners that skip oversized files. The executable's ultimate goal is to download and deploy Agent Tesla.
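Padding a binary with null bytes defeats size-capped scanners and also changes the file hash, so two samples that differ only in padding length look unrelated. The check below is an added example written for this briefing, not code from the researchers who analysed the variant: it measures the trailing zero run and overall zero fraction of a file, flags inflated executables, and writes a stripped copy that can be hashed and scanned at its true size. The thresholds are illustrative assumptions, and the sample files are constructed in a temporary directory with 4 MiB of padding rather than the 1 GB seen in the wild so the demo runs quickly.

```python
"""Detect executables bloated with zero-byte padding and strip the padding so the
real payload can be hashed and scanned at its true size."""
import os
import random
import tempfile

# Thresholds are illustrative assumptions, not vendor-published values.
MIN_TRAILING_ZERO_RUN = 1024 * 1024   # flag files ending in >= 1 MiB of 0x00
MAX_ZERO_FRACTION = 0.90              # or made of >= 90% zero bytes overall
CHUNK = 1024 * 1024


def trailing_zero_run(path):
    """Bytes of contiguous 0x00 at the end of the file, scanning backwards."""
    size = os.path.getsize(path)
    run, pos = 0, size
    with open(path, "rb") as f:
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            block = f.read(step)
            stripped = block.rstrip(b"\x00")
            run += len(block) - len(stripped)
            if stripped:          # hit a non-zero byte: the run ends here
                break
    return run


def zero_fraction(path):
    """Share of all bytes in the file that are 0x00."""
    size = os.path.getsize(path)
    if size == 0:
        return 0.0
    zeros = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            zeros += block.count(0)
    return zeros / size


def analyze(path):
    """Report size, PE magic, padding metrics and an inflated verdict."""
    size = os.path.getsize(path)
    run = trailing_zero_run(path)
    frac = zero_fraction(path)
    with open(path, "rb") as f:
        is_pe = f.read(2) == b"MZ"
    return {"size": size, "is_pe": is_pe, "trailing_zero_run": run,
            "zero_fraction": round(frac, 3), "payload_size": size - run,
            "inflated": run >= MIN_TRAILING_ZERO_RUN or frac >= MAX_ZERO_FRACTION}


def strip_padding(src, dst):
    """Write src minus its trailing zero run to dst; return bytes written."""
    keep = os.path.getsize(src) - trailing_zero_run(src)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        remaining = keep
        while remaining > 0:
            block = fin.read(min(CHUNK, remaining))
            fout.write(block)
            remaining -= len(block)
    return keep


def make_sample(path, payload_len, padding):
    """Constructed sample: 'MZ' magic, pseudo-random body ending in a non-zero
    byte, then `padding` zero bytes. Not a real executable."""
    rng = random.Random(1)
    body = bytes(rng.getrandbits(8) for _ in range(payload_len - 3)) + b"\xff"
    with open(path, "wb") as f:
        f.write(b"MZ" + body + b"\x00" * padding)


def demo(payload_len=64 * 1024, padding=4 * 1024 * 1024):
    """Build one padded and one clean sample in a temp dir; return both reports
    plus the size of the padded sample after stripping."""
    d = tempfile.mkdtemp()
    padded, clean, trimmed = (os.path.join(d, n)
                              for n in ("padded.exe", "clean.exe", "trimmed.exe"))
    make_sample(padded, payload_len, padding)
    make_sample(clean, payload_len, 0)
    return {"padded": analyze(padded), "clean": analyze(clean),
            "trimmed_size": strip_padding(padded, trimmed)}


if __name__ == "__main__":
    print(demo())
```

Scanning backwards in fixed chunks means a genuinely 1 GB file costs only a few reads when the padding is at the end, which is where this family puts it. Hash the stripped copy rather than the original when building indicators, so that samples padded to different lengths collapse to one hash.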
